← Back to team overview

mimblewimble team mailing list archive

Re: [POLL] Perfectly hiding vs perfectly binding


Did this get fully nailed down? Personally if the chain breaks and associations become known (no longer hiding), won't the value drop dramatically? Then I don't care if my value is permanently bound and safe, it is worth little. On the other hand, since there is so much talk of drivechains and cross chain pollination, can't I always back up my value to another chain, so that if MimWim is broken and value is created out of thin air, at least my privacy won't be broken, and ideally I would have the value stored in some other, more binding chain?

It struck me (and this is clearly an immense technical overhead idea and likely very bad) that you could have two chains a MIM and a WIM one that was binding and one that was hiding, and you would move value from one to the other depending on your use case. Store it on the binding chain, but switch it over to the hiding chain for transactions. I think we are all assuming future chain interoperability, why not embrace it from the getgo and have our cake and eat it to? Other than the fact that it essentially means building two chains from scratch that is....

We already have binding chains right? Why not be the first hiding chain? It seemed to me Andrew and Ignotus both intuitively felt hiding was a better proposition, and I agree, but now it looks like we are heading in the other direction? I may very well be missing quite a bit here.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

> -------- Original Message --------
> Subject: Re: [Mimblewimble] [POLL] Perfectly hiding vs perfectly binding
> Local Time: August 19, 2017 2:46 PM
> UTC Time: August 19, 2017 9:46 PM
> From: apoelstra@xxxxxxxxxxxxxx
> To: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
> mimblewimble@xxxxxxxxxxxxxxxxxxx <mimblewimble@xxxxxxxxxxxxxxxxxxx>
> On Fri, Aug 18, 2017 at 07:37:33PM -0400, Ignotus Peverell wrote:
>> I think it makes sense. It"s a reasonable price to pay and I like that it makes it a lot easier to scan your unspent outputs. One question: switch commitments reuse H and compute SHA256(rH). Any particular reason why we"d want yet another generator?
> If I remember right, the crypto for unconditionally-sound rangeproofs [1] is simpler if we have a separate and dedicated generator for the second point. But I can"t recall the details now, I"m feeling unwell and my head is foggy. Will need to revisit it.
>> And we"d likely use blake2 again instead of SHA256 but that"s a detail.
> Sure :)
> [1] https://github.com/apoelstra/secp256k1-mw/pull/1
> --
> Andrew Poelstra
> Mathematics Department, Blockstream
> Email: apoelstra at wpsoftware.net
> Web: https://www.wpsoftware.net/andrew
> "A goose alone, I suppose, can know the loneliness of geese
> who can never find their peace,
> whether north or south or west or east"
> --Joanna Newsom
> --
> Mailing list: https://launchpad.net/~mimblewimble
> Post to : mimblewimble@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mimblewimble
> More help : https://help.launchpad.net/ListHelp

Follow ups